Russ Allbery <r...@debian.org> writes:

> Also, source package builds generally aren't done inside sbuild if I
> remember the architecture correctly.

I believe you are correct. In my own config, which uses cowbuilder to provide the clean chroot build environment, the process I use creates a source package in the cloned repo in my normal filesystem, then hands that source package into the clean chroot build environment where it is used to build binary packages. I test those packages in various ways, and if I like the test results, I sign and upload the source package. In that way, I'm at least testing the source package I create even if I'm not carefully inspecting it?

>> I'm opposed to trusting only a signed git tag in your proposed
>> implementation, when it has been proven we can do much better.
>
> "Proven" to me implies that we have an implementation of tag2upload that
> has better security properties. I don't think this is true? If it is,
> I'd love to look at it.

I agree. I think tag2upload or something like it would be a really useful addition to Debian infrastructure. If there's a better way to do what the tag2upload proposal does, great, but time has shown that Debian makes better decisions when comparing competing implementations expressed as source code than merely as human assertions.

Bdale
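The workflow described above (build a source package outside the chroot, build and test binaries from it inside the chroot, then sign and upload that same source package) rests on one property: the files the signature will cover are exactly the files that were tested. The script below is an added example, not code from this thread or from any Debian tool; it re-implements the integrity check that a signing step should make, by parsing the `Checksums-Sha256` field of a `.dsc` and comparing each listed file's size and SHA-256 against what is on disk. The package name `hello`, the version `1.0-1` and the file contents are constructed fixtures; the script assumes a POSIX `sh` with `sha256sum`, `awk` and `mktemp`.

```shell
#!/bin/sh
# Added example: verify that every file a .dsc references still matches the
# size and SHA-256 recorded in its Checksums-Sha256 field, so that what gets
# signed and uploaded is what was handed to the chroot and tested.

# verify_dsc DSC -> exit 0 if every Checksums-Sha256 entry matches, 1 otherwise.
verify_dsc() {
    dsc="$1"
    dir=$(dirname "$dsc")
    # Entries sit between "Checksums-Sha256:" and the next non-indented field,
    # one per line: " <sha256> <size-in-bytes> <filename>".
    entries=$(awk '/^Checksums-Sha256:/ {f=1; next} /^[^ ]/ {f=0} f {print $1, $2, $3}' "$dsc")
    [ -n "$entries" ] || { echo "no Checksums-Sha256 field in $dsc" >&2; return 1; }
    printf '%s\n' "$entries" | while read -r want_sum want_size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name" >&2
            exit 1
        fi
        have_sum=$(sha256sum "$path" | awk '{print $1}')
        have_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$have_sum" != "$want_sum" ] || [ "$have_size" != "$want_size" ]; then
            echo "MISMATCH $name" >&2
            exit 1
        fi
        echo "OK       $name"
    done
}

# make_fixture DIR [tamper] -> write a constructed .dsc plus the two files it
# lists into DIR. With "tamper", one file is altered after the .dsc is written,
# which is the situation the check must catch.
make_fixture() {
    dir="$1"
    mode="$2"
    mkdir -p "$dir"
    printf 'constructed stand-in for the upstream tarball\n' > "$dir/hello_1.0.orig.tar.gz"
    printf 'constructed stand-in for the debian tarball\n' > "$dir/hello_1.0-1.debian.tar.xz"
    {
        echo "Format: 3.0 (quilt)"
        echo "Source: hello"
        echo "Version: 1.0-1"
        echo "Checksums-Sha256:"
        for f in hello_1.0.orig.tar.gz hello_1.0-1.debian.tar.xz; do
            printf ' %s %s %s\n' \
                "$(sha256sum "$dir/$f" | awk '{print $1}')" \
                "$(wc -c < "$dir/$f" | tr -d ' ')" \
                "$f"
        done
    } > "$dir/hello_1.0-1.dsc"
    if [ "$mode" = tamper ]; then
        printf 'one extra line appended after the .dsc was written\n' >> "$dir/hello_1.0-1.debian.tar.xz"
    fi
}

# Demonstration on constructed fixtures: an intact tree passes, a tree whose
# debian tarball changed after the .dsc was produced is refused.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/good"
verify_dsc "$demo_dir/good/hello_1.0-1.dsc" && echo "good tree: safe to sign"
make_fixture "$demo_dir/bad" tamper
verify_dsc "$demo_dir/bad/hello_1.0-1.dsc" || echo "tampered tree: refuse to sign"
rm -rf "$demo_dir"
```

The check is deliberately limited to the `.dsc` and the files it names; it says nothing about whether the `.dsc` itself is the one you meant to build, which is the gap a signature over the source package (rather than only over a git tag) is there to close. Run it as a gate before `debsign`, or fold the same comparison into whatever wrapper drives the chroot build.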